How to tie static token values to populated chart data?

zach5871
Explorer

I'm trying to alter my current search to use the static token options I set up rather than raw numbers I have to later convert. How can I transpose those values from the site_token to my chart data? By the way, I'm new...

index="fe_test" sourcetype=fe_xml source=$site_token$ $group_token$ | top limit=25 site_code

Thanks!


Richfez
SplunkTrust

Other comments and discovery in the other answer led to this:

If we step back a second, I wonder if the real answer to your problem is an automatic lookup of those values? With that, you could use "Rainsburg" everywhere. Might take a bit of re-thinking, but not too much and I think the benefits would outweigh the extra effort.

It's a bit of a bigger topic to have here, but luckily Splunk docs are awesome and include how to include a CSV lookup.

If this seems like the way to go or at least a way forward, give it a try and ask back if you get stuck anywhere! I think it's worth a shot - I use them all over, and it just makes the situations you describe "go away" by letting you just use "Rainsburg" everywhere.

zach5871
Explorer

Perfect! At least by the sound of it. Let me do some homework and see what I can come up with. Thanks again!


Richfez
SplunkTrust

Great, let us know how that goes and if you have any problems be sure to ask! (It might be useful to create a new Question specific to that problem if you have questions about that process that seem to be non-trivial).

I suggest leaving this thread/answer unaccepted at least until you feel the lookup is the right way to go and it solves your problem. When (if) that happens, we can rearrange this thread a bit to make it easy to follow for others searching this in the future.


zach5871
Explorer

Exactly what I was searching for, my question was just way off. Thanks for the great help. This solves my problem.


Richfez
SplunkTrust

First, WELCOME!

Second, from the words you are using it sounds like you have all the pieces in place or are at least very close, so let me just try a recap and see what maybe you've missed. Details/instructions or links for each/any of the below that are missing can be provided once we determine what's left to be done. If you even need them. 🙂

1) Create chart, graph or other output and add it to a dashboard. View that dashboard.

2) Edit the dashboard panels from the button in the upper right and add an input - let's say this is a text box. Set the token value to site_token. Set default to * and initial value to *. Make sure "search on change" is set.

3) Still in Edit Panels mode, on the panel you want to change, click the Search icon and "Edit Search String".

4) Adjust search string. In my meaningless but working example I cobbled up from my home PF firewall logs, I changed

source="/var/log/pf.log" | timechart count by interface limit=10

to

source="/var/log/pf.log" interface=$site_token$ | timechart count by interface limit=10

Then...

5) Save/apply/whatever button you have, go to the text box and type * in it and press enter. Then try another value - note there's no wildcarding in there at the moment so you have to supply your own, like bg* (if I had more than one bge interface...).

In addition, I had to try a few times before I got my first one of these right - the dashboard and inputs tutorial is pretty good, but you have to follow it closely and I had to try twice or three times... In general, the docs are awesome and if you find something unclear or wrong in them, feel free to let Splunk know using the feedback button at the bottom of their pages!

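Pulling the thread together, here is an added Simple XML dashboard (not code from any post here) that combines the text-box input from the recap above with a static-option dropdown like the question's site_token and the CSV lookup suggested in the accepted answer. The lookup definition name site_names, the output field site_name, and the lookup file contents are assumptions; index, sourcetype and field names come from the question.

```xml
<!-- Added example, not the thread's own code. Assumes a CSV lookup file
     site_names.csv has been uploaded and defined as a lookup named "site_names":
       site_code,site_name
       00005,Rainsburg
     (constructed sample row; the code/name pair is the one from the question) -->
<form>
  <label>Sites by code (lookup demo)</label>
  <fieldset submitButton="false">
    <!-- Static options: the label is what the user sees, the value is what
         $site_token$ expands to in the search (Rainsburg selects 00005). -->
    <input type="dropdown" token="site_token" searchWhenChanged="true">
      <label>Site</label>
      <choice value="*">All sites</choice>
      <choice value="00005">Rainsburg</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <!-- Free-text filter as in the recap: default and initial value of *
         so the panel renders before the user types anything. -->
    <input type="text" token="group_token" searchWhenChanged="true">
      <label>Extra filter</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Top site codes, labelled by site name</title>
        <search>
          <!-- top keeps site_code; lookup adds site_name, which the chart
               then uses as its x-axis instead of the raw code. -->
          <query>index="fe_test" sourcetype=fe_xml source=$site_token$ $group_token$
| top limit=25 site_code
| lookup site_names site_code OUTPUT site_name
| fillnull value="unknown" site_name
| fields site_name count</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
</form>
```

If the lookup is instead configured as an automatic lookup on sourcetype fe_xml, the explicit `| lookup` line can be dropped and site_name is already present on each event.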

zach5871
Explorer

Thank you Rich for the very detailed answer, however I still can't seem to get what I'm looking for and suspect I may not have been clear with my question. My search populates the correct data based on my token selection, but I'm trying to make the retrieved results reference some predefined value. In my site_token static options I set the names to equal a value. So Rainsburg = 00005 for example, and that works for my site token selector. But when my chart populates the data, it shows 00005 rather than Rainsburg. Maybe this clarifies my question or maybe I'm still missing something.


Richfez
SplunkTrust

One note, when you change things like this the graph will often say "waiting for input" or something until you actually make a CHANGE to the input. Sometimes changing it to the same thing (a star to a star) won't trigger a proper refresh and you have to type something different, press enter, then try your star again. Every once in a blue moon I have to even totally refresh that browser window. This doesn't happen later or after it's set up, it's an artifact of clicking "Save" or something, as far as I can tell.
